Puppet Class: openstack::horizon::source_deploy

Defined in:
modules/openstack/manifests/horizon/source_deploy.pp

Overview

Because we deploy Horizon from source, and because the OpenStack APIs are backwards-compatible, we typically deploy a newer version of Horizon than the other OpenStack services.

That means we track two different version settings here:

$horizon_version: the actual version of Horizon that's running

$openstack_version: the version used for the other openstack
 services on e.g. cloudcontrol1001.

We need to know the value of $openstack_version so that we can pull the policy files that Horizon uses from the appropriate services and avoid having to duplicate them just for Horizon to consume.

Parameters:

  • horizon_version (String)
  • openstack_version (String)
  • keystone_api_fqdn (Stdlib::Fqdn)
  • dhcp_domain (Stdlib::Fqdn)
  • instance_network_id (String)
  • ldap_rw_host (Stdlib::Host)
  • ldap_user_pass (String)
  • all_regions (Array[String])
  • puppet_git_repo_name (String)
  • puppet_git_repo_user (String)
  • secret_key (String)
  • venv_dir (String) (defaults to: '/srv/deployment/horizon/venv')
  • webserver_hostname (Stdlib::Fqdn) (defaults to: 'horizon.wikimedia.org')
  • maintenance_mode (Boolean) (defaults to: false) 


16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
 
# File 'modules/openstack/manifests/horizon/source_deploy.pp', line 16

class openstack::horizon::source_deploy(
    String        $horizon_version,
    String        $openstack_version,
    Stdlib::Fqdn  $keystone_api_fqdn,
    Stdlib::Fqdn  $dhcp_domain,
    String        $instance_network_id,
    Stdlib::Host  $ldap_rw_host,
    String        $ldap_user_pass,
    Array[String] $all_regions,
    String        $puppet_git_repo_name,
    String        $puppet_git_repo_user,
    String        $secret_key,
    String        $venv_dir           = '/srv/deployment/horizon/venv',
    Stdlib::Fqdn  $webserver_hostname = 'horizon.wikimedia.org',
    Boolean       $maintenance_mode   = false,
) {
    ensure_packages([
        'python-wheel',
        'python-virtualenv',
        'virtualenv',
        'gettext',
    ])

    $puppet_git_repo_key_path = '/home/horizon/.ssh/instance-puppet-user.priv'

    file { '/etc/openstack-dashboard/local_settings.py':
        content => template("openstack/${horizon_version}/horizon/local_settings.py.erb"),
        mode    => '0444',
        owner   => 'root',
        notify  => Service['apache2'],
    }

    file { '/etc/openstack-dashboard/nova_policy.yaml':
        source => "puppet:///modules/openstack/${openstack_version}/nova/common/policy.yaml",
        owner  => 'root',
        mode   => '0444',
        notify => Service['apache2'],
    }

    file { '/etc/openstack-dashboard/keystone_policy.yaml':
        source => "puppet:///modules/openstack/${openstack_version}/keystone/policy.yaml",
        owner  => 'root',
        mode   => '0444',
        notify => Service['apache2'],
    }

    file { '/etc/openstack-dashboard/glance_policy.yaml':
        source => "puppet:///modules/openstack/${openstack_version}/glance/policy.yaml",
        owner  => 'root',
        mode   => '0444',
        notify => Service['apache2'],
    }

    file { '/etc/openstack-dashboard/designate_policy.yaml':
        source => "puppet:///modules/openstack/${openstack_version}/designate/policy.yaml",
        owner  => 'root',
        mode   => '0444',
        notify => Service['apache2'],
    }

    file { '/etc/openstack-dashboard/neutron_policy.yaml':
        source => "puppet:///modules/openstack/${openstack_version}/neutron/policy.yaml",
        owner  => 'root',
        mode   => '0444',
        notify => Service['apache2'],
    }

    file { '/etc/openstack-dashboard/cinder_policy.yaml':
        source => "puppet:///modules/openstack/${openstack_version}/cinder/policy.yaml",
        owner  => 'root',
        mode   => '0444',
        notify => Service['apache2'],
    }

    file { '/etc/openstack-dashboard/trove_policy.yaml':
        source => "puppet:///modules/openstack/${openstack_version}/trove/policy.yaml",
        owner  => 'root',
        mode   => '0444',
        notify => Service['apache2'],
    }

    # A user and group to run this as
    group { 'horizon':
        ensure => present,
        name   => 'horizon',
        system => true,
    }

    user { 'horizon':
        gid        => 'horizon',
        system     => true,
        managehome => true,
    }

    # This is a trivial policy file that forbids everything.  We'll use it
    #  for services that we don't support to prevent Horizon from
    #  displaying spurious panels.
    file { '/etc/openstack-dashboard/disabled_policy.yaml':
        source => "puppet:///modules/openstack/${horizon_version}/horizon/disabled_policy.yaml",
        owner  => 'root',
        mode   => '0444',
        notify => Service['apache2'],
    }

    scap::target { 'horizon/deploy':
        deploy_user  => 'deploy-service',
        service_name => 'apache2',
    }

    # allow deploy-service to restart apache as root.
    # Also, it needs to sudo as horizon to gather and compress
    #  static content.
    sudo::user { 'deploy-service':
        privileges => [
            'ALL = (root) NOPASSWD: /usr/sbin/service apache2 start',
            'ALL = (root) NOPASSWD: /usr/sbin/apache2ctl graceful-stop',
            'ALL = (horizon) NOPASSWD: ALL',
            'ALL = (root) NOPASSWD: /bin/chown -R horizon /srv/deployment/horizon/venv/*',
            'ALL = (root) NOPASSWD: /bin/chown -R deploy-service /srv/deployment/horizon/venv/*',
        ],
    }

    httpd::site { $webserver_hostname:
        content => template("openstack/${horizon_version}/horizon/${webserver_hostname}.erb"),
        require => File['/etc/openstack-dashboard/local_settings.py'],
    }

    # We need to do some work that would otherwise by handled by the horizon
    #  debian package
    file { '/etc/openstack-dashboard':
        ensure => 'directory',
        owner  => 'root',
    }

    # Prepare this directory for scap to drop some files into
    file { '/etc/openstack-dashboard/default_policies':
        ensure  => 'directory',
        owner   => 'deploy-service',
        require => File['/etc/openstack-dashboard'],
    }

    file { '/var/lib/openstack-dashboard':
        ensure => 'directory',
        owner  => 'horizon',
        group  => 'horizon',
        mode   => '0755',
    }

    file { '/var/lib/openstack-dashboard/static':
        ensure  => 'directory',
        owner   => 'horizon',
        mode    => '0755',
        require => File['/var/lib/openstack-dashboard'],
    }

    file { '/var/lib/openstack-dashboard/static/maintenance.html':
        source  => 'puppet:///modules/openstack/horizon/maintenance.html',
        owner   => 'horizon',
        group   => 'horizon',
        mode    => '0755',
        require => File['/var/lib/openstack-dashboard/static'],
    }

    # Get ready to host a local git repo of instance puppet config
    file { '/home/horizon/.ssh/':
        ensure => 'directory',
        owner  => 'horizon',
        mode   => '0600',
    }

    file { $puppet_git_repo_key_path:
        ensure    => file,
        owner     => 'horizon',
        group     => 'horizon',
        mode      => '0600',
        content   => secret('ssh/instance-puppet-user/instance-puppet-user_privkey.pem'),
        show_diff => false,
    }

}